PT-2020-12735 · Avertx · Avertx Auto Focus Night Vision Hd Indoor/Outdoor Ip Dome Camera Hd838+1

Published

2020-07-23

·

Updated

2024-12-03

·

CVE-2020-11625

CVSS v2.0

5.0

Medium

VectorAV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 AvertX Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438
Description The issue allows attackers to identify legitimate usernames through different responses to failed web UI login attempts. When a login request is sent to "ISAPI/Security/sessionLogin/capabilities" with an existing username, it returns the salt value associated with that username, even with an incorrect password. In contrast, a non-existent username returns an empty salt value. This facilitates brute-force attacks by enabling attackers to enumerate legitimate usernames.
Recommendations For AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838, consider restricting access to the "ISAPI/Security/sessionLogin/capabilities" endpoint to minimize the risk of exploitation. For AvertX Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438, consider restricting access to the "ISAPI/Security/sessionLogin/capabilities" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Side Channel Attack

Weakness Enumeration

CWE-203

Related Identifiers

BDU:2025-05010
CVE-2020-11625

Affected Products

Avertx Auto Focus Night Vision Hd Indoor/Outdoor Ip Dome Camera Hd838
Avertx Night Vision Hd Indoor/Outdoor Mini Ip Bullet Camera Hd438